June 22

Event takeaways: BSidesMeSh21 – day 2

Code, Security

0  comments

My key takeaways

  • 11 min from publishing credentials (accidently) to github till pwn
  • 2019: ~200k credentials in Github ; 2021: +20%
  • runtime secrets go to application secrets managers
  • InfoSec's dirty little secret:

    We can't know all the options, but we still need to help secure all the things -- Jenn Janesko

  • Ideas, how to solve this according to Jenn:
    • start small, pick something achievable
    • select and verify tooling
    • trial it with some teams
    • document and curate code artifacts
    • rinse and repeat
  • black hats use NDS/CAS to proof that their malware will evade AV detection
  • these tools also offer periodic scans for burnt infrastructure and updates of AV on the malware of the bad actor
  • AI made it through the trough of disillusionment
  • if an attacker is able to poison the training data of an AI, it will make it at least useless if not backfire
  • attacker have poisoned image classification AI by adding noise of images which would be a positive match and is invisible for human QA, making AI believe that a dog is a fish :-D
  • Mitigations to get your AI poisoned:
    • filter suspicious data origins
    • fault-tolerant data sampling
    • diff-tracking (detection)
    • reliable benchmark (detection)
    • no silver bullet availble
  • WAF with a positive security model needs to build a baseline <- prone to get poisoned
  • Why allow access to AI training data in the first way?
    • depends also on budgets, if you have to rely on external sources eg use of crowdsourced data or public influencial data like webtraffic
  • Botnets are all over the place
    • Crpyto-Miners <- most common at the moment
    • Ransom-botnets
    • DDOS
    • BNaaS
  • Most Botnets get known by accident or are sometimes hunted by security researchers for fame. No commercial benefit, no continous hunting from the private sector. Remains a duty for law enforcement
  • Ransomware has increadible timelines from infection to ransom demand: 5 - 1h only
  • "Tradecraft":

    the skills and methods used by someone doing a particular job -- Sajal Thomas

  • Adversary profiles:
    • criminals:
      • noisy
      • smash & grap
      • take what you can get and extort
    • APT
      • stealthy
      • low & slow
      • specific information and persistent access
  • Operation tempo will vary on type of adversary
  • A lot of EDR, NDR, XDR will need 30-90 days to learn what is "normal"
    • a lot of time for an attacker
    • if beacon is placed in this time, it will be considered as normal traffic
  • Cobalt Strike is a framework used by security researchers as well as by criminals
    • well known and heavily signatured but used anyway as it saves time and effort for criminals and is tested in "production". It is also hard to attribute as used by almost everyone.
  • code-sign-malware is getting more and more prominent on dark markets
  • OpSec failures like loud Kerberoasting is only a problem for the attacker, if the victim has effective SIEM in place
    • a "funnel of fidelity" is needed due to finate ressources in security teams: Event -> Alert -> Lead -> Incident
  • secruity systems like card access systems, CCTV,... can send data to centralized log management systems as well to give a more complete picture
  • Greylog is open source and can be run on a Pi
    • good for homelab testing

Env

additional links

agenda

  • 13:00 - 13:05
    • Opening Day 1 ;
  • 13:05 - 13:40
    • BSides Munich Keynote - InfoSec's Dirty Little Secrets ; Jenn Janesko
  • 13:40 - 14:00
    • No Distribute Scanners: A Perfect Testing Ground for Malware Developers ; Mathieu Gaucheler & Florian Murschetz
  • 14:00 - 14:35
    • AI in a Minefield: Learning from Poisoned Data ; Itsik Mantin
  • 14:35 - 14:45
    • Coffee Break ;
  • 14:45 - 15:15
    • CrimeOps of the KashmirBlack Botnet ; Sarit Yerushalmi & Ofir Shaty
  • 15:15 - 15:45
    • Modern Adversary Tradecraft ; Sajal Thomas
  • 15:45 - 16:10
    • Coffee Break ;
  • 16:10 - 16:45
    • Padding Oracle Attacks - The critical bug in your home-brewed crypto protocol ; Henning Kopp
  • 16:45 - 17:15
    • The Care and Feeding of Meerkats ; Sascha Steinbiss & Andreas Herz
  • 17:15 - 17:35
    • Log Management Keeps Your Network Secure -- Real-World Examples ; Jeff Darrington
  • 17:35 - 17:40
    • Closing Notes and Virtual Prosit with organizers ;

Tags

AI, botnet, BSides, conference, cryptography, darknet, DevSecOps, event, logging, malware

You may also like

AI Cyber Security 2025: Key Threats and Essential Strategies for Your Business

Artificial Intelligence is transforming businesses and industries worldwide, but with this transformation comes unprecedented challenges. The recent launch of Cisco AI Defense, a specialized AI security solution, highlights the urgency of securing AI applications. According to Cisco, only 29% of enterprises feel fully prepared to detect and prevent unauthorized manipulations of AI systems. This low

Read More

SPQA: A Radical AI Architecture—and Why Security Must Adapt

Introduction Until recently, many developers laughed at the notion that Artificial Intelligence might write their code someday. Yet code assistants like Cursor, Bolt.new, and Copilot—already adopted by 51% of enterprises [1]—show how swiftly AI is reshaping software development. At the same time, spending on generative AI skyrocketed from $2.3 billion in 2023 to $13.8 billion

Read More
Leave a Comment